Vectra Research Finds Most Cyberattacks Against the Energy and Utilities Industry Transpire and Thrive Inside Enterprise IT Networks Rather Than Critical Infrastructure
Vectra, the leader in AI-powered cyberattack detection and threat hunting, announced that while industrial control systems are in the crosshairs, most cyberattacks against energy and utilities firms occur and succeed inside enterprise IT networks, not in the critical infrastructure.
Published in the Vectra 2018 Spotlight Report on Energy and Utilities, these and other key findings underscore the importance of detecting hidden threat behaviors inside enterprise IT networks before cyberattackers have a chance to spy, spread and steal. These threat behaviors reveal that carefully orchestrated attack campaigns occur over many months.
Cybercriminals have been launching carefully orchestrated attack campaigns against energy and utilities networks for years. Often lasting several months, these slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack.
“When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration,” said Branndon Kelley, CIO of American Municipal Power, a nonprofit electric-power generator utility that serves municipalities in nine states that own their own electric system. “It’s imperative to monitor all network traffic to detect these and other attacker behaviors early and consistently.”
Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.
“The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” said David Monahan, managing research director of security and risk management at Enterprise Management Associates. “This is one of the most crucial risk areas in the cyberattack lifecycle.”
Other key findings in the 2018 Spotlight Report on Energy and Utilities include:
- During the command-and-control phase of attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads.
- 314 lateral movement attack behaviors were detected per 10,000 host devices and workloads.
- In the exfiltration phase of the cyberattack lifecycle, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.
The 2018 Spotlight Report from Vectra is based on observations and data from the 2018 Black Hat Conference Edition of the Attacker Behavior Industry Report, which reveals attacker behaviors and trends in networks from over 250 opt-in enterprise organizations in energy and utilities, as well as eight other industries.
From January through June 2018, the Cognito threat-detection and hunting platform from Vectra monitored network traffic and collected metadata from more than 4 million devices and workloads from customer cloud, data center and enterprise environments. The analysis of this metadata provides a better understanding about attacker behaviors and trends as well as business risks, enabling Vectra customers to avoid catastrophic data breaches.
The Cognito platform from Vectra enables enterprises to automatically detect and hunt for cyberattacks in real time. Cognito uses AI to perform non-stop, automated threat hunting with always-learning behavioral models to quickly and efficiently find hidden and unknown attackers before they do damage. Cognito provides full visibility into cyberattacker behaviors from cloud and data center workloads to user and IoT devices, leaving attackers with nowhere to hide.
Cognito Detect and its AI counterpart, Cognito Recall, are the cornerstones of the Cognito platform. Cognito Detect automates the real-time detection of hidden attackers while giving Cognito Recall a logical starting point to perform AI-assisted threat hunting and conduct conclusive incident investigations.